Abstract

In August 2002, Agrawal, Kayal and Saxena announced the first deterministic polynomial-time primality testing algorithm. For an input $n$, the AKS algorithm runs in heuristic time $\tilde{O}(\log^6 n)$. Verification takes roughly the same amount of time. On the other hand, the Elliptic Curve Primality Proving algorithm (ECPP) runs in random heuristic time $\tilde{O}(\log^6 n)$ ($\tilde{O}(\log^5 n)$ if fast multiplication is used), and generates certificates which can be easily verified. More recently, Berrizbeitia gave a variant of the AKS algorithm in which some primes cost much less time to prove than a general prime does. In this paper, we explore the possibility of combining the ideas in these celebrated algorithms to design a more efficient algorithm. A random primality proving algorithm with heuristic time complexity $\tilde{O}(\log^4 n)$ is presented. It generates a certificate of primality which is $O(\log n)$ bits long and can be verified in deterministic time $\tilde{O}(\log^4 n)$. The reduction in time complexity is achieved by first generalizing Berrizbeitia's algorithm to one which has a higher density of easily-proved primes. For a general prime, one round of ECPP is deployed to reduce its primality proof to the proof of a random easily-proved prime.

1 Introduction 

Testing whether a number is prime or not is one of the fundamental problems in computational number theory. It has wide applications in computer science, especially in cryptography. After tremendous efforts invested by researchers over about two hundred years, it was finally proved by Agrawal, Kayal and Saxena [1] that the set of primes is in the complexity class P. For a given integer $n$, the AKS algorithm runs in time no longer than $\tilde{O}(\log^{12} n)$, while the best deterministic algorithm before it has subexponential complexity. Under a reasonable conjecture, the AKS algorithm should give an answer in time $\tilde{O}(\log^6 n)$.

Notation: In this paper, we use "ln" for the logarithm base $e$ and "log" for the logarithm base 2. We write $r^\alpha \,\|\, n$ if $r^\alpha \mid n$ but $r^{\alpha+1} \nmid n$. By $\tilde{O}(f(n))$, we mean $O(f(n)\,\mathrm{polylog}(f(n)))$.

The AKS algorithm is based on the derandomization of a polynomial identity test. It involves many iterations of polynomial modular exponentiation. To test the primality of an integer $n$, the algorithm first searches for a suitable $r$, which is provably $O(\log^5 n)$, or heuristically $O(\log^2 n)$. Then the algorithm checks, for $s$ from 1 to $S = \lfloor 2\sqrt{r}\log n \rfloor$, whether

$$(x + s)^n \equiv x^n + s \pmod{n,\ x^r - 1}. \qquad (1)$$

The algorithm declares that $n$ is a prime if all the checks pass. The computation of $(x + s)^n \pmod{n,\ x^r - 1}$ takes time $\tilde{O}(r\log^2 n)$ if we use fast multiplication. The total time complexity is thus $\tilde{O}(rS\log^2 n)$.
While the AKS algorithm is a great accomplishment in theory, the current version is very slow. Unless its time complexity can be dramatically improved, it cannot replace random primality testing algorithms with better efficiency. In most applications in cryptography, an efficient random algorithm is sufficient, as long as the algorithm can generate a certificate of primality which, in deterministic time, convinces a verifier who does not believe any number theory conjectures. A primality testing algorithm which generates a certificate of primality is sometimes called a primality proving algorithm. Similarly, a primality testing algorithm which generates a certificate of compositeness is sometimes called a compositeness proving algorithm. Very efficient random compositeness proving algorithms have long been known. Curiously, primality proving algorithms lag far behind compositeness proving algorithms in terms of efficiency and simplicity.

Recently, Berrizbeitia [6] proposed a brilliant modification to the original AKS algorithm. He used the polynomial $x^{2^s} - a$ instead of $x^r - 1$ in equation (1), where $2^s \approx \log^2 n$. Among other things, he was able to prove the following proposition:

Proposition 1 Given an integer $n \equiv 1 \pmod 4$. Denote $s = \lceil 2\log\log n \rceil$. Assume that $2^k \,\|\, n - 1$ and $k \geq s$. If there exists an integer $a$ such that $\left(\frac{a}{n}\right) = -1$ and $a^{(n-1)/2} \equiv -1 \pmod n$, then

$$(1 + x)^n \equiv 1 + x^n \pmod{n,\ x^{2^s} - a}$$

iff $n$ is a power of a prime.

Unlike the AKS algorithm, where each prime costs roughly the same, there are "easily-proved primes" in Berrizbeitia's algorithm, namely the primes $p$ where $p - 1$ has a power-of-two factor larger than $\log^2 n$. For those primes, one iteration of polynomial modular exponentiation, which runs in time $\tilde{O}(\log^4 n)$, establishes the primality of $p$, provided that a suitable $a$ exists. In fact, $a$ can be found easily if $n$ is indeed a prime and randomness is allowed in the algorithm. It serves as a prime certificate for $n$.

Definition 1 In this paper, for a primality proving algorithm, we call a prime $p$ easily-proved if the algorithm runs in expected time $\tilde{O}(\log^4 p)$ on $p$.

What is the density of the easily-proved primes in Berrizbeitia's algorithm? Heuristically, for a random prime $p$, $p - 1$ should have probability $1/\log^2 p$ of having a factor $2^s \approx \log^2 p$; hence the easily-proved primes have density $1/\log^2 p$ around $p$ in his algorithm.

1.1 Increasing the density of easily-proved primes

We prove the following theorem in Section 5, which can be regarded as a generalization of Proposition 1.

Theorem 1 (Main) Given a number $n$ which is not a power of an integer. Suppose that there exists a prime $r$ with $r^\alpha \,\|\, n - 1$ ($\alpha \geq 1$) and $r > \log^2 n$. In addition, there exists a number $1 < a < n$ such that $a^{r^\alpha} \equiv 1 \pmod n$, $\gcd(a^{r^{\alpha-1}} - 1, n) = 1$, and

$$(1 + x)^n \equiv 1 + x^n \pmod{n,\ x^r - a},$$

then $n$ is a prime.
The number $a$ can be found easily if $n$ is a prime and randomness is allowed. It serves as a prime certificate for $n$. Based on this theorem, we propose a random algorithm which establishes the primality of $p$ in time $\tilde{O}(\log^4 p)$ if $p - 1$ contains a prime factor between $\log^2 p$ and $C\log^2 p$ for some small constant $C$.

Definition 2 We call a positive integer $n$ $C$-good if $n - 1$ has a prime factor $p$ such that $\log^2 n < p < C\log^2 n$.

What is the density of $C$-good primes? Apparently the density should be higher than the density of easily-proved primes in Berrizbeitia's algorithm. Let $m = \prod_{p\ \mathrm{prime},\ b_1 < p < Cb_1} p$. First we count the number of integers between 1 and $m$ which have a prime factor between $b_1$ and $Cb_1$. This is precisely the number of zero-divisors in the ring $\mathbb{Z}/m\mathbb{Z}$:

$$(m - 1) - m \prod_{p\ \mathrm{prime},\ b_1 < p < Cb_1} \left(1 - \frac{1}{p}\right).$$

We will prove in Section 4 that this number is greater than $m/\ln b_1 - 1$ for $C = c$ and $b_1$ sufficiently large, where $c$ is an absolute constant to be determined later. To analyze the time complexity of our algorithm, we are mainly concerned with the density of 2-good primes in short intervals. For simplicity, we call a number good when it is 2-good. Since $n$ is very big compared with $\log^2 n$, we expect that

Conjecture 1 There exists an absolute constant $A$ such that for any sufficiently large integer $n$,

$$\frac{\text{Number of 2-good primes between } n - 2\sqrt{n} + 1 \text{ and } n + 2\sqrt{n} + 1}{\text{Number of primes between } n - 2\sqrt{n} + 1 \text{ and } n + 2\sqrt{n} + 1} \geq \frac{A}{\ln(\log^2 n)}.$$

We are unable to prove this inequality, but we present some numerical evidence in this paper. We remark that questions about the prime distribution in a short interval are usually very hard to answer.

1.2 Algorithm for the general primes 

For general primes, we apply the idea of the Elliptic Curve Primality Proving algorithm (ECPP). ECPP was proposed by Goldwasser and Kilian and by Atkin, and implemented by Atkin and Morain. In practice, ECPP performs much better than the current version of AKS. It has been used to prove the primality of numbers with thousands of decimal digits.

In ECPP, if we want to prove that an integer $n$ is a prime, we reduce the problem to the proof of primality of a smaller number (less than $n/2$). To achieve this, we try to find an elliptic curve with $\omega n'$ points over $\mathbb{Z}/n\mathbb{Z}$, where $\omega$ is completely factored and $n'$ is a probable prime greater than $(n^{1/4} + 1)^2$. Once we have such a curve and a point on the curve with order $n'$, the primality of $n'$ implies the primality of $n$. Since point counting on elliptic curves is expensive, we usually use elliptic curves with complex multiplication of small discriminant. Nonetheless, it is plausible to assume that the order of the curve has the desired form with the same probability as a random integer does. ECPP needs $O(\log n)$ rounds of reductions to eventually reduce the problem to a primality proof of a very small prime, say, less than 1000. As observed in [?], one round of reduction takes heuristic time $\tilde{O}(\log^5 n)$, or $\tilde{O}(\log^4 n)$ if we use fast multiplication. To get the time complexity, it is assumed that the number of primes between $n - 2\sqrt{n} + 1$ and $n + 2\sqrt{n} + 1$ is greater than $\sqrt{n}/\log^2 n$, and that the number of points on an elliptic curve with small-discriminant complex multiplication behaves like a random number in the Hasse range. We refer to these assumptions as the ECPP heuristics. A rigorous proof of the time complexity seems out of reach, as it involves the study of the prime distribution in a short interval.

Our algorithm can be decomposed into two stages. In the first stage, for a general probable prime $n$, we use one round of ECPP to reduce its proof of primality to a good probable prime $n'$ near $n$. For convenience, we require that $n - 2\sqrt{n} + 1 < n' < n + 2\sqrt{n} + 1$ (see Section 6 for implementation issues). Note that up to a constant factor, the time complexity of one round of reduction in ECPP is equivalent to the time complexity of finding a curve with a prime order. In the set of primes between $n - 2\sqrt{n} + 1$ and $n + 2\sqrt{n} + 1$, the density of good primes is $\Omega(1/\log\log n)$ by conjecture. Hence heuristically the extra condition on $n'$ (that $n'$ should be good) increases the time complexity merely by a factor of $O(\log\log n)$. Therefore, for all primes, without a significant increase of time complexity, we reduce the primality proof to the proof of a good prime. In the second stage, we find a primality certificate for $n'$. To do this, we search for an $a$ which satisfies the conditions in the main theorem, and compute the polynomial modular exponentiation. Heuristically, the total expected running time of the first and second stages becomes $\tilde{O}(\log^4 n)$. However, due to the short interval in which the number of points on the elliptic curves must lie, it seems difficult to obtain a rigorous time complexity. Putting it all together, we now have a general purpose primality proving algorithm which has the following properties:

1. It runs very fast ($\tilde{O}(\log^4 n)$) assuming reasonable heuristics.

2. For many primes, the ECPP subroutine is not needed.

3. The certificate, which consists of the curve, a point on the curve with order $n'$, $n'$ and $a$, is very short. It consists of only $O(\log n)$ bits, as opposed to $O(\log^2 n)$ bits in ECPP.

4. A verifier can be convinced in deterministic time $\tilde{O}(\log^4 n)$. In fact, the most time consuming part of the verification is the iteration of polynomial modular exponentiation.

This paper is organized as follows: In Section 2 we review the propositions used by AKS and ECPP to prove primality. In Section 3 we describe our algorithm and present the time complexity analysis. In Section 4 we prove a theorem which can be regarded as evidence for the density heuristics. The main theorem is proved in Section 5. We conclude this paper with some discussion on the implementation of the algorithm.

2 Proving primality in AKS and ECPP 

The ECPP algorithm depends on rounds of reductions of the proof of primality of a prime to the proof of primality of a smaller prime. The most remarkable feature of ECPP is that a verifier who does not believe any conjectures can be convinced in time $\tilde{O}(\log^3 n)$ if fast multiplication is used. It is based on the following proposition [3].

Proposition 2 Let $N$ be an integer prime to 6, $E$ be an elliptic curve over $\mathbb{Z}/N\mathbb{Z}$, together with a point $P$ on $E$ and two integers $m$ and $s$ with $s \mid m$. Denote the point at infinity on $E$ by $O$. For each prime divisor $q$ of $s$, denote $(m/q)P$ by $(x_q : y_q : z_q)$. Assume that $mP = O$ and $\gcd(z_q, N) = 1$ for all $q$. If $s > (N^{1/4} + 1)^2$, then $N$ is a prime.
The certificate for $N$ in ECPP consists of the curve $E$, the point $P$, $m$, $s$ and the certificate of primality of $s$. Usually the ECPP algorithm uses elliptic curves with complex multiplication of small discriminant. For implementation details, see [?].

The AKS algorithm proves a number is a prime through the following proposition. 

Proposition 3 Let $n$ be a positive integer. Let $q$ and $r$ be prime numbers. Let $S$ be a finite set of integers. Assume

1. that $q$ divides $r - 1$;

2. that $n^{(r-1)/q} \not\equiv 0, 1 \pmod r$;

3. that $\gcd(n, b - b') = 1$ for all distinct $b, b' \in S$;

4. that $\binom{q + |S| - 1}{|S|} \geq n^{2\lfloor\sqrt{r}\rfloor}$;

5. that $(x + b)^n \equiv x^n + b \pmod{x^r - 1,\ n}$ for all $b \in S$.

Then $n$ is a power of a prime.

3 Description and time complexity analysis of our algorithm 

Now we are ready to sketch our algorithm.

Input: a positive integer $n$

Output: a certificate of primality of $n$, or "composite".

1. If $n$ is a power of an integer, return "composite".

2. In parallel, run a compositeness proving algorithm, for example the Rabin-Miller test [?, page 282], on $n$.

3. If $n - 1$ contains a prime factor between $\log^2 n$ and $2\log^2 n$, skip this step. Otherwise, call ECPP to find an elliptic curve over $\mathbb{Z}/n\mathbb{Z}$ with $n'$ points, where $n'$ is a probable prime and $n'$ is 2-good. Set $n = n'$. Let $r$ be the prime factor of $n - 1$ satisfying $\log^2 n < r < 2\log^2 n$.

4. Randomly select a number $1 < b < n$. If $b^{n-1} \not\equiv 1 \pmod n$, output "composite" and exit.

5. Let $a = b^{(n-1)/r^\alpha} \pmod n$, where $r^\alpha \,\|\, n - 1$. If $a = 1$ or $a^{r^{\alpha-1}} = 1$, go back to step 4.

6. If $\gcd(a^{r^{\alpha-1}} - 1, n) \neq 1$, output "composite" and exit.

7. If $(1 + x)^n \not\equiv 1 + x^n \pmod{n,\ x^r - a}$, return "composite".

8. Use the ECPP procedure to construct the curve and the point and compute the order. Output them with $a$. Return "prime".

Testing whether a number $n$ is good or not can be done in time $\tilde{O}(\log^3 n)$. Step 3 takes time $\tilde{O}(\log^4 n)$ if the ECPP heuristics are true, Conjecture 1 in the introduction is true, and the fast multiplication algorithm is used.

If $n$ is indeed a prime, then the probability of going back in step 5 is at most $1/r$. Steps 4 to 6 each take time at most $\tilde{O}(\log^2 n)$. Step 7 takes time $\tilde{O}(\log^4 n)$, since $r < 2\log^2 n$. Hence the heuristic expected running time of our algorithm is $\tilde{O}(\log^4 n)$. Obviously the verification algorithm takes deterministic time $\tilde{O}(\log^4 n)$.
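As an added worked example (not code from the paper), the Python below implements steps 1 and 4 to 7 of the algorithm above for an input that is already 2-good, together with a deterministic verifier that re-checks every hypothesis of Theorem 1 on the certificate $(n, r, \alpha, a)$. The ECPP step 3 is omitted, and the sample inputs are constructed here: $809$ (prime, $808 = 8 \cdot 101$) and $1011 = 3 \cdot 337$ (composite), both 2-good with $r = 101$.

```python
"""Added example, not the paper's code: steps 1 and 4-7 of the Section 3 algorithm on
an input that is already 2-good, plus the deterministic verifier for the certificate
(n, r, alpha, a) given by Theorem 1.  Step 3 (ECPP) is omitted.  Demo-scale: n < 2**53."""
import math
import random

def is_small_prime(r):                       # trial division; r ~ log^2 n is tiny
    return r >= 2 and all(r % d for d in range(2, math.isqrt(r) + 1))

def is_perfect_power(n):                     # step 1: n = m^k for some k >= 2 ?
    return any(round(n ** (1 / k)) ** k == n for k in range(2, n.bit_length() + 1))

def good_prime_factor(n, C=2):
    """Definition 2: (r, alpha) with r prime, log^2 n < r < C log^2 n, r^alpha || n-1."""
    L = math.log2(n) ** 2
    for r in range(math.floor(L) + 1, math.ceil(C * L)):
        if L < r < C * L and (n - 1) % r == 0 and is_small_prime(r):
            alpha, m = 0, n - 1
            while m % r == 0:
                m, alpha = m // r, alpha + 1
            return r, alpha
    return None                              # not C-good: the paper's step 3 (ECPP) applies

def polymulmod(f, g, n, r, a):
    """Multiply in (Z/nZ)[x]/(x^r - a); f, g are coefficient lists of length r."""
    res = [0] * (2 * r - 1)
    for i, fi in enumerate(f):
        if fi:
            for j, gj in enumerate(g):
                res[i + j] = (res[i + j] + fi * gj) % n
    for k in range(2 * r - 2, r - 1, -1):    # x^k = a * x^(k-r) for k >= r
        res[k - r] = (res[k - r] + a * res[k]) % n
    return res[:r]

def aks_check(n, r, a):
    """Congruence of Theorem 1 / step 7: (1 + x)^n == 1 + x^n (mod n, x^r - a)."""
    result, base, e = [1] + [0] * (r - 1), [1, 1] + [0] * (r - 2), n
    while e:                                 # square-and-multiply on polynomials
        if e & 1:
            result = polymulmod(result, base, n, r, a)
        base, e = polymulmod(base, base, n, r, a), e >> 1
    q, s = divmod(n, r)                      # x^n = (x^r)^q * x^s = a^q * x^s
    rhs = [1] + [0] * (r - 1)
    rhs[s] = (rhs[s] + pow(a, q, n)) % n
    return result == rhs

def prove(n, seed=1):
    """Steps 1 and 4-7: a certificate (n, r, alpha, a), or the string 'composite'."""
    if is_perfect_power(n):
        return "composite"
    r, alpha = good_prime_factor(n)          # raises TypeError if n is not 2-good
    rng = random.Random(seed)
    while True:
        b = rng.randrange(2, n)
        if pow(b, n - 1, n) != 1:                               # step 4
            return "composite"
        a = pow(b, (n - 1) // r ** alpha, n)                    # step 5
        if a == 1 or pow(a, r ** (alpha - 1), n) == 1:
            continue
        if math.gcd(pow(a, r ** (alpha - 1), n) - 1, n) != 1:  # step 6
            return "composite"
        return (n, r, alpha, a) if aks_check(n, r, a) else "composite"  # step 7

def verify(n, r, alpha, a):
    """Deterministic verifier: re-checks every hypothesis of Theorem 1, trusting nothing."""
    if n < 3 or alpha < 1 or not 1 < a < n or not is_small_prime(r) or is_perfect_power(n):
        return False
    if r <= math.log2(n) ** 2 or (n - 1) % r ** alpha or (n - 1) % r ** (alpha + 1) == 0:
        return False
    if pow(a, r ** alpha, n) != 1 or math.gcd(pow(a, r ** (alpha - 1), n) - 1, n) != 1:
        return False
    return aks_check(n, r, a)
```

The verifier never trusts the prover's choice of $r$ or $a$: it recomputes $r^\alpha \,\|\, n - 1$, $r > \log^2 n$ and the two conditions on $a$ before running the polynomial congruence, so a forged certificate for a composite $n$ is rejected by Theorem 1.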



4 Density of good numbers 



What is the probability that a random number has a prime factor between $b_1$ and $b_2 = cb_1$? Let $m = \prod_{p\ \mathrm{prime},\ b_1 < p < b_2} p$. We compute the density of integers between 1 and $m - 1$ which have a prime factor between $b_1$ and $b_2$. Those numbers are precisely the zero-divisors in $\mathbb{Z}/m\mathbb{Z}$. The number of non-zero-divisors between 1 and $m$ is $\phi(m) = m\prod_{p\ \mathrm{prime},\ b_1 < p < b_2}\left(1 - \frac{1}{p}\right)$, where $\phi$ is the Euler phi-function. First we estimate the quantity

$$\beta_{b_1, b_2} = \prod_{p\ \mathrm{prime},\ b_1 < p < b_2} \left(1 - \frac{1}{p}\right).$$

It is known [10] that $\prod_{p < x,\ p\ \mathrm{prime}} \left(1 - \frac{1}{p}\right) = \frac{e^{-\gamma}}{\ln x}\left(1 + O\!\left(\frac{1}{\ln x}\right)\right)$, where $\gamma$ is the Euler constant. There must exist two absolute constants $c_1, c_2$ such that

$$\frac{e^{-\gamma}}{\ln x}\left(1 + \frac{c_1}{\ln x}\right) < \prod_{p < x,\ p\ \mathrm{prime}} \left(1 - \frac{1}{p}\right) < \frac{e^{-\gamma}}{\ln x}\left(1 + \frac{c_2}{\ln x}\right).$$

Set $c = e^{c_2 - c_1 + 2}$. Then

$$\beta_{b_1, b_2} = \frac{\prod_{p\ \mathrm{prime},\ p < b_2}\left(1 - \frac{1}{p}\right)}{\prod_{p\ \mathrm{prime},\ p \le b_1}\left(1 - \frac{1}{p}\right)} < \frac{\ln b_1 \left(1 + \frac{c_2}{\ln(cb_1)}\right)}{\ln(cb_1)\left(1 + \frac{c_1}{\ln b_1}\right)} = \frac{\ln^3 b_1 + (\ln c + c_2)\ln^2 b_1}{\ln^3 b_1 + (2\ln c + c_1)\ln^2 b_1 + (\ln^2 c + 2c_1\ln c)\ln b_1 + c_1\ln^2 c}.$$

Thus

$$1 - \beta_{b_1, b_2} > \frac{(\ln c + c_1 - c_2)\ln^2 b_1 + (\ln^2 c + 2c_1\ln c)\ln b_1 + c_1\ln^2 c}{\ln^3 b_1 + (2\ln c + c_1)\ln^2 b_1 + (\ln^2 c + 2c_1\ln c)\ln b_1 + c_1\ln^2 c} > \frac{1}{\ln b_1}$$

when $b_1$ is sufficiently large. It is expected that the density of good primes in the set of primes in a large interval should not be very far away from $1/\ln b_1$. See Table 1 for numerical data concerning the density of 2-good primes around $2^{500}$. Notice that

$$\beta_{250000, 500000} = 0.9472455, \qquad 1 - \beta_{250000, 500000} = 0.0527545, \qquad \frac{1}{\ln 250000} \approx 0.0804556.$$
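As an added numerical check (not the paper's code), the Python below computes $\beta_{b_1, b_2}$ exactly for $b_1 = 250000$ and $b_2 = 500000$, the values quoted above (since $\log^2 n = 250000$ for $n = 2^{500}$), and measures the 2-good ratio among the primes of a window in the manner of Table 1, but near $2^{32}$ rather than $2^{500}$ so that a plain sieve suffices; the window near $2^{32}$ is this example's own choice.

```python
"""Added example, not the paper's code: beta_{b1,b2} of Section 4 computed exactly,
and an empirical 2-good ratio in the manner of Table 1, but in a sieveable window
near 2^32 (this example's choice) rather than around 2^500."""
import functools
import math

@functools.lru_cache(maxsize=None)
def primes_below(limit):
    """Sieve of Eratosthenes: the primes p < limit (cached, never mutated)."""
    s = bytearray([1]) * limit
    s[0:2] = b"\x00\x00"
    for p in range(2, math.isqrt(limit) + 1):
        if s[p]:
            s[p * p::p] = bytearray(len(range(p * p, limit, p)))
    return [p for p in range(limit) if s[p]]

def beta(b1, b2):
    """beta_{b1,b2} = prod_{b1 < p < b2, p prime} (1 - 1/p); 1 - beta is the density of
    integers having a prime factor strictly between b1 and b2."""
    return math.prod(1 - 1 / p for p in primes_below(b2) if p > b1)

def primes_in_window(lo, length):
    """Segmented sieve: primes in [lo, lo + length), for lo >= 2 and lo + length < 2**53."""
    s = bytearray([1]) * length
    for p in primes_below(math.isqrt(lo + length) + 1):
        start = max(p * p, (lo + p - 1) // p * p)   # first multiple of p in the window
        if start < lo + length:
            s[start - lo::p] = bytearray(len(range(start - lo, length, p)))
    return [lo + i for i in range(length) if s[i]]

def is_good(n, C=2):
    """Definition 2 with C = 2: n - 1 has a prime factor r with log^2 n < r < 2 log^2 n."""
    L = math.log2(n) ** 2
    return any((n - 1) % r == 0 for r in primes_below(math.ceil(C * L)) if L < r < C * L)

def good_ratio(lo, length):
    """Fraction of the primes in [lo, lo + length) that are 2-good (one row of Table 1)."""
    ps = primes_in_window(lo, length)
    return sum(map(is_good, ps)) / len(ps)
```

For the window $[2^{32}, 2^{32} + 2^{17})$ the relevant primes $r$ lie in $(1024, 2048)$, and the measured ratio is of the same order as $1 - \beta_{1024, 2048}$, which is the comparison Table 1 makes at $2^{500}$.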



5 Proof of the main theorem 

In this section we prove the main theorem. It is built on a series of lemmas. Most of them are straightforward generalizations of the lemmas in Berrizbeitia's paper [6]. We include slightly different proofs of those lemmas, though, for completeness. Some of the proofs are brief; for details see [6].

Table 1: Number of 2-good primes around $2^{500}$

From               To                 Number of primes   Number of 2-good primes   Ratio
-----------------  -----------------  -----------------  ------------------------  ------
2^500              2^500 + 200000     576                35                        6.07%
2^500 + 200000     2^500 + 400000     558                38                        6.81%
2^500 + 400000     2^500 + 600000     539                30                        5.56%
2^500 + 600000     2^500 + 800000     568                23                        4.05%
2^500 + 800000     2^500 + 1000000    611                39                        6.38%
2^500 + 1000000    2^500 + 1200000    566                26                        4.59%
2^500 + 1200000    2^500 + 1400000    566                38                        6.71%
2^500 + 1400000    2^500 + 1600000    526                27                        5.13%
2^500 + 1600000    2^500 + 1800000    580                26                        4.48%
2^500 + 1800000    2^500 + 2000000    563                20                        3.55%
2^500 + 2000000    2^500 + 2200000    562                22                        3.91%
2^500 + 2200000    2^500 + 2400000    561                21                        3.74%
2^500 + 2400000    2^500 + 2600000    609                34                        5.58%
2^500 + 2600000    2^500 + 2800000    601                28                        4.66%
2^500 + 2800000    2^500 + 3000000    603                33                        5.47%
2^500 + 3000000    2^500 + 3200000    579                37                        6.39%
2^500 + 3200000    2^500 + 3400000    576                31                        5.38%
2^500 + 3400000    2^500 + 3600000    604                35                        5.79%
2^500 + 3600000    2^500 + 3800000    612                40                        6.53%
2^500 + 3800000    2^500 + 4000000    588                29                        4.93%
2^500 + 4000000    2^500 + 4200000    574                33                        5.75%
2^500 + 4200000    2^500 + 4400000    609                27                        4.43%
2^500 + 4400000    2^500 + 4600000    549                35                        6.37%
2^500 + 4600000    2^500 + 4800000    561                30                        5.34%
2^500 + 4800000    2^500 + 5000000    545                29                        5.32%
2^500 + 5000000    2^500 + 5200000    590                20                        3.39%
2^500 + 5200000    2^500 + 5400000    557                27                        4.84%
2^500 + 5400000    2^500 + 5600000    591                28                        4.73%
2^500 + 5600000    2^500 + 5800000    517                33                        6.38%
2^500 + 5800000    2^500 + 6000000    566                18                        3.18%
2^500 + 6000000    2^500 + 6200000    575                30                        5.21%
2^500 + 6200000    2^500 + 6400000    573                26                        4.53%
2^500 + 6400000    2^500 + 6600000    558                36                        6.45%
2^500 + 6600000    2^500 + 6800000    574                32                        5.57%
2^500 + 6800000    2^500 + 7000000    594                22                        3.70%
2^500 + 7000000    2^500 + 7200000    596                31                        5.20%
2^500 + 7200000    2^500 + 7400000    567                26                        4.58%
2^500 + 7400000    2^500 + 7600000    619                28                        4.52%
2^500 + 7600000    2^500 + 7800000    565                25                        4.42%
2^500 + 7800000    2^500 + 8000000    561                25                        4.45%
2^500 + 8000000    2^500 + 8200000    570                26                        4.56%

Lemma 1 Let $r, p$ be primes, $r \mid p - 1$. If $a \in \mathbb{F}_p$ is not an $r$-th power of any element in $\mathbb{F}_p$, then $x^r - a$ is irreducible over $\mathbb{F}_p$.
Proof: Let $\theta$ be one of the roots of $x^r - a = 0$. Certainly $[\mathbb{F}_p(\theta) : \mathbb{F}_p] > 1$. Let $\zeta \in \mathbb{F}_p$ be one of the primitive $r$-th roots of unity. Then

$$x^r - a = x^r - \theta^r = \prod_{0 \le i \le r-1} (x - \zeta^i\theta).$$

Let $[\mathbb{F}_p(\theta) : \mathbb{F}_p] = r'$. Then for all $i$, $[\mathbb{F}_p(\zeta^i\theta) : \mathbb{F}_p] = r'$. Hence $x^r - a$ factors into polynomials of degree $r'$ only. Since $r$ is a prime, this is impossible unless $r' = r$. □

Lemma 2 Let $n > 2$ be an integer. Let $r$ be a prime and $r^\alpha \,\|\, n - 1$. Suppose that there exists an integer $1 < a < n$ such that

1. $a^{r^\alpha} \equiv 1 \pmod n$;

2. $\gcd(a^{r^{\alpha-1}} - 1, n) = 1$.

Then there must exist a prime factor $p$ of $n$ such that $r^\alpha \,\|\, p - 1$ and $a$ is not an $r$-th power of any element in $\mathbb{F}_p$.

Proof: For any prime factor $q$ of $n$, $a^{r^\alpha} \equiv 1 \pmod q$ and $a^{r^{\alpha-1}} \not\equiv 1 \pmod q$, so $r^\alpha \mid q - 1$. If $r^{\alpha+1} \mid q - 1$ for all the prime factors $q$, then $r^{\alpha+1} \mid n - 1$, a contradiction. Hence there exists a prime factor $p$ such that $r^\alpha \,\|\, p - 1$. Let $g$ be a generator of $\mathbb{F}_p^*$. If $a = g^t$ in $\mathbb{F}_p$, then $p - 1 \mid tr^\alpha$ and $p - 1 \nmid tr^{\alpha-1}$. Hence $r \nmid t$. □

In the following text, we assume that $n$ is an integer, $n = p^k d$ where $p$ is a prime and $\gcd(p, d) = 1$. Assume $r$ is a prime and $r \mid p - 1$. Let $x^r - a$ be an irreducible polynomial in $\mathbb{F}_p[x]$. Let $\theta$ be one of the roots of $x^r - a$. For any element in the field $\mathbb{F}_p(\theta)$, we can find a unique polynomial $f \in \mathbb{F}_p[x]$ of degree less than $r$ such that the element can be represented by $f(\theta)$. Define $\sigma_m : \mathbb{F}_p(\theta) \to \mathbb{F}_p(\theta)$ as $\sigma_m(f(\theta)) = f(\theta^m)$.

Lemma 3 We have that $a^m = a$ in $\mathbb{F}_p$ iff $\sigma_m \in \mathrm{Gal}(\mathbb{F}_p(\theta)/\mathbb{F}_p)$.

Proof: ($\Leftarrow$): Since $\sigma_m \in \mathrm{Gal}(\mathbb{F}_p(\theta)/\mathbb{F}_p)$, $\theta^m$ must be a root of $x^r - a$. Hence $a = (\theta^m)^r = a^m$ in $\mathbb{F}_p$.

($\Rightarrow$): For any two elements $u, v \in \mathbb{F}_p(\theta)$, we need to prove that $\sigma_m(u + v) = \sigma_m(u) + \sigma_m(v)$ and $\sigma_m(uv) = \sigma_m(u)\sigma_m(v)$. The first one is trivial from the definition of $\sigma_m$. Let $u = f_u(\theta)$ and $v = f_v(\theta)$ where $f_u(x), f_v(x) \in \mathbb{F}_p[x]$ have degree less than $r$. If $\deg(f_u(x)f_v(x)) < r$, it is easy to see that $\sigma_m(uv) = \sigma_m(u)\sigma_m(v)$. Now assume that $\deg(f_u(x)f_v(x)) \geq r$. Then $f_u(x)f_v(x) = h(x) + (x^r - a)g(x)$ where $h(x), g(x) \in \mathbb{F}_p[x]$ and $\deg(h(x)) < r$. Then

$$\sigma_m(uv) = \sigma_m(h(\theta)) = h(\theta^m) = h(\theta^m) + (a^m - a)g(\theta^m) = h(\theta^m) + (\theta^{mr} - a)g(\theta^m) = f_u(\theta^m)f_v(\theta^m) = \sigma_m(u)\sigma_m(v).$$

This shows that $\sigma_m$ is a homomorphism. Now we need to prove that it is one-to-one. It is obvious since $\theta^m$ is a root of $x^r - a = 0$. □

Define $G_m = \{f(\theta) \in \mathbb{F}_p(\theta)^* \mid f(\theta^m) = f(\theta)^m\}$. It can be verified that $G_m$ is a group when $\sigma_m$ is in $\mathrm{Gal}(\mathbb{F}_p(\theta)/\mathbb{F}_p)$.

Lemma 4 Suppose $\sigma_n \in \mathrm{Gal}(\mathbb{F}_p(\theta)/\mathbb{F}_p)$. Then for any $i, j \geq 0$, $\sigma_{d^i p^j} \in \mathrm{Gal}(\mathbb{F}_p(\theta)/\mathbb{F}_p)$ and $G_n \subseteq G_{d^i p^j}$.






Proof: Notice that the map $x \to x^{p^k}$ is a one-to-one map on $\mathbb{F}_p(\theta)$. The equation $a^n = a$ implies that $(a^d)^{p^k} = a$, hence $a^d = a$, and $a^{d^i p^j} = a$. We have $\sigma_{d^i p^j} \in \mathrm{Gal}(\mathbb{F}_p(\theta)/\mathbb{F}_p)$.

Let $f(\theta) \in G_n$. Thus $f(\theta^n) = f(\theta)^n$; this implies $f(\theta^{p^k d}) = f(\theta)^{p^k d} = f(\theta^{p^k})^d$. So $\theta^{p^k}$ is a solution of $f(x^d) = f(x)^d$. Since it is one of the conjugates of $\theta$, $\theta$ must be a solution as well. This proves that $f(\theta^d) = f(\theta)^d$. Similarly, since $\theta^d$ is also one of the conjugates of $\theta$, as $\sigma_d \in \mathrm{Gal}(\mathbb{F}_p(\theta)/\mathbb{F}_p)$, we have $f(\theta^{d^2}) = f(\theta^d)^d = f(\theta)^{d^2}$. By induction, $f(\theta^{d^\ell}) = f(\theta)^{d^\ell}$ for any $\ell \geq 0$. Hence $f(\theta^{d^i p^j}) = f(\theta^{d^i})^{p^j} = f(\theta)^{d^i p^j}$. This implies that $f(\theta) \in G_{d^i p^j}$. □

Lemma 5 If $\sigma_{m_1}, \sigma_{m_2} \in \mathrm{Gal}(\mathbb{F}_p(\theta)/\mathbb{F}_p)$ and $\sigma_{m_1} = \sigma_{m_2}$, then $|G_{m_1} \cap G_{m_2}|$ divides $m_1 - m_2$.

This lemma is straightforward from the definition.
Lemma 6 Let $A = a^{(p-1)/r}$. If $(1 + \theta) \in G_n$, so is $1 + A^i\theta$ for any $i = 1, 2, \ldots, r - 1$. And $|G_n| \geq 2^r$.

Proof: If $(1 + \theta) \in G_n$, this means that $(1 + \theta)^n = 1 + \theta^n$. It implies that $(1 + \theta')^n = 1 + \theta'^n$ for any conjugate $\theta'$ of $\theta$. Since $A$ is a primitive $r$-th root of unity in $\mathbb{F}_p$, the $A^i\theta$ are conjugates of $\theta$. We have $(1 + A^i\theta)^n = 1 + (A^i\theta)^n = 1 + (A^n)^i\theta^n$, and we know that $A^n = A$. This proves that $1 + A^i\theta \in G_n$. The group $G_n$ contains all the elements in the set

$$\left\{\prod_{i=0}^{r-1} (1 + A^i\theta)^{e_i} \,\middle|\, \sum_{i=0}^{r-1} e_i < r\right\};$$

by simple counting we have $|G_n| \geq 2^r$. □

Finally we are ready to give the proof of the main theorem (Theorem 1) of this paper.

Proof: Since $|\mathrm{Gal}(\mathbb{F}_p(\theta)/\mathbb{F}_p)| = r$, there exist two different pairs $(i_1, j_1)$ and $(i_2, j_2)$ with $0 \le i_1, j_1, i_2, j_2 \le \lfloor\sqrt{r}\rfloor$ such that $\sigma_{d^{i_1}p^{j_1}} = \sigma_{d^{i_2}p^{j_2}}$. According to Lemma 4, $G_n \subseteq G_{d^{i_1}p^{j_1}}$ and $G_n \subseteq G_{d^{i_2}p^{j_2}}$; this implies that $G_n \subseteq G_{d^{i_1}p^{j_1}} \cap G_{d^{i_2}p^{j_2}}$. Therefore $|G_n|$ divides $d^{i_1}p^{j_1} - d^{i_2}p^{j_2}$, but $|d^{i_1}p^{j_1} - d^{i_2}p^{j_2}| < n^{\lfloor\sqrt{r}\rfloor} < 2^{\sqrt{r}\log n} < 2^r$; hence $d^{i_1}p^{j_1} - d^{i_2}p^{j_2} = 0$, which in turn implies that $n$ is a power of $p$. □



6 Implementation and conclusion 

In this paper, we propose a random primality proving algorithm which runs in heuristic time $\tilde{O}(\log^4 n)$. It generates a certificate of primality of length $O(\log n)$ which can be verified in deterministic time $\tilde{O}(\log^4 n)$.

When it comes to implementing the algorithm, space is a bigger issue than time. Assume that $n$ has 1000 bits, which is the range of practical interest. To compute $(1 + x)^n \pmod{n,\ x^r - a}$, we will have an intermediate polynomial of size $2^{30}$ bits, or 128M bytes. As a comparison, ECPP is not very demanding on space. In order to make the algorithm available on a desktop PC, a space-efficient exponentiation of $1 + x$ is highly desirable. This is the case for the original version of the AKS algorithm as well.






For the sake of theoretical clarity, we use just one round of ECPP reduction in the algorithm. To implement the algorithm, it may be better to follow the ECPP algorithm and launch the iteration of AKS as soon as an intermediate prime becomes good. Again assuming that the intermediate primes are distributed randomly in the range, the expected number of rounds will be $\log\log n$. It is a better strategy since the intermediate primes get smaller and smaller.

Acknowledgements: We thank Professor Pedro Berrizbeitia for very helpful discussions and 
comments. 